Today we shared more powerful ways for people to stay connected and get more done together with Google Workspace—at home, at school, and at work. As hybrid work becomes the norm for many employees, security, data privacy, and trust continue to be the foundation that makes anywhere, anytime collaboration possible. Google has been focused on these areas since the beginning, and today we’re announcing several ways that we’re strengthening this foundation in Google Workspace.
We’ve long been advocates for making the web a more trusted place for everyone. In 2004, we launched Gmail with a mission to defeat spam, and a few years later we created Safe Browsing, which now helps protect users on more than 4 billion devices every day. Earlier this year, as the world of work continued to evolve, we launched BeyondCorp Enterprise, a zero-trust solution that enables secure access to apps and services for all kinds of workers from anywhere. And we’ve also continued to find new ways to strengthen encryption to keep our customers and users safe while protecting their data—whether it’s by pioneering encryption in transit for email and browsing, turning HTTPS on by default in Chrome, or flagging sites that lack encryption.
Our new security and privacy innovations help Google Workspace customers realize the full power of trusted, cloud-native collaboration.
Stronger privacy and data security with Client-side encryption
By launching Google Workspace Client-side encryption, we’re helping customers strengthen the confidentiality of their data while addressing a broad range of data sovereignty and compliance requirements. Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. We’re taking this a step further by giving customers direct control of encryption keys and the identity service they choose to access those keys. With Client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google’s native web-based collaboration, access content on mobile devices, and share encrypted files externally. When combined with our other encryption capabilities, customers can add new levels of data protection for their Google Workspace data.
Client-side encryption is especially beneficial for organizations that store sensitive or regulated data, like intellectual property, healthcare records, or financial data. It can help meet data sovereignty requirements and compliance requirements for ITAR, CJIS, TISAX, IRS 1075, and EAR.
But as Airbus notes, Client-side encryption can help organizations do much more than meet compliance requirements:
“At Airbus, we’re already using Google Workspace Client-side encryption to protect our most critical company data. The ability to fully control our own encryption keys while benefiting from Google’s best-in-class productivity tools has been an essential enabler of our digital transformation. Client-side encryption is a cornerstone of our modern information governance strategy.” — Andrew Plunkett, Head of Digital Workplace, Airbus
To maintain the segregation of duties, enabling Client-side encryption requires you to choose a key access service partner: Flowcrypt, Fortanix, Futurex, Thales, or Virtru. Each of these partners has built tools in accordance with Google’s specifications and provides both key management and access control capabilities. Your partner of choice holds the key to decode encrypted Google Workspace files, and Google cannot access or decipher these files without this key. If you prefer to build or integrate your own in-house key services, we will be publishing the key access service API specifications that can be used with Client-side encryption later this year.
We’ll be rolling out a beta for Client-side encryption in the coming weeks for Google Workspace Enterprise Plus and Google Workspace Education Plus customers. Client-side encryption will initially be available for Google Drive, Docs, Sheets, and Slides, with support for multiple file types including Office files, PDFs, and more. Interested customers can sign up now for the beta.
We’re committed to a roadmap that enables Client-side encryption across Google Workspace, including Gmail, Meet, and Calendar. Support for Google Meet is coming in the fall. Stay tuned for more details!
More control over secure collaboration with trust rules for Drive
Because sharing ideas and information is at the heart of trusted collaboration, it’s critical that you have the ability to powerfully and precisely manage your files to ensure they’re always in the right hands. That’s why we’re giving admins more choices when it comes to setting rules for how files can be shared with trust rules for Drive.
Trust rules give admins more control over how files can be shared, both within and outside of their organization. With these new rules in place, admins can enforce restrictions that limit internal and external sharing. Specific rules can even be set for organizational units and groups, allowing a more granular approach than enforcing blanket policies on every user.
The beta for trust rules for Drive will be rolling out in the coming months and will be available for Google Workspace Enterprise and Google Workspace Education Plus customers.
Enhanced data loss prevention and classification with Drive labels
With Drive labels, users can classify files stored in Google Drive to help ensure they’re handled correctly. Drive labels integrates with Google Workspace’s data loss prevention (DLP) capabilities, so admins can set rules at the appropriate sensitivity level, and with Google Vault, so admins can set retention policies for a given sensitivity level. And even if users forget to classify content on their own, files can be classified automatically based on administrator-defined DLP rules. Customers can also now benefit from 60 new content detectors, including several powered by machine learning capabilities for improved detection. Examples of new detectors include identification of resumes, SEC filings, patents, and source code, allowing administrators to block egress of such data types. Drive labels can be used with Drive DLP to prevent external sharing, downloading, and printing of classified files.
Drive labels is now available in beta for Google Workspace Business Standard, Google Workspace Business Plus, Google Workspace Enterprise, Google Workspace for Education Standard, and Google Workspace Education Plus customers. Interested customers can sign up now for the beta. Automated classification through DLP is available to Google Workspace Enterprise Standard, Enterprise Plus, and Education Plus customers.
New phishing and malware content protection for Google Drive
Every Google Workspace customer already benefits from the built-in protections in Google Drive that help block phishing and malware content from external users and organizations. In the coming weeks, we’ll be taking this a step further by enabling all Google Workspace admins to implement this protection for content within their organizations, helping to safeguard against insider threats and user error. If abusive content is found, the relevant file is flagged and made visible only to admins and the file’s owner. This prevents sharing and reduces the number of users potentially impacted by the abusive content. All Google Workspace editions will include these new phishing and malware content protections.
These Google Workspace innovations further our longstanding mission to protect and secure anywhere, anytime collaboration. They help our customers realize the full potential of a trusted, cloud-native platform that’s built for the evolving hybrid work environment. Client-side encryption is an especially important development for Google Workspace. When combined with our other encryption capabilities, it provides our customers—even in the most heavily regulated industries—with additional controls, safeguards, and peace of mind.